Question about managed-keys-zone

Bjoern Kahl mls at bjoern-kahl.de
Fri Apr 8 16:26:37 UTC 2016


Am 08.04.16 um 16:11 schrieb Bhangui, Sandeep - BLS CTR:
> Thanks Jeremy
> 
> 
> Logging section from named.conf
> 
> logging {
>         channel "named-log" {
>                 file "/usr/local/named-jail9.10.3P4/var/adm/named.log" versions 3 size 30m;

 That is wrong if your named runs in a chroot jail (guessing from
 "named-jail9.10.3P4" you run it in a jail).

 Assuming your named jail is "/usr/local/named-jail9.10.3P4", you must
 name the file relative to the jail, i.e. "/var/adm/named.log".

 Note the leading "/" in the file name.  When running chroot jailed,
 named sets the root "/" of its view of the file system early in startup,
 so all paths need to be specified starting from the new root.


>                 severity info;
>                 print-time yes; print-category yes; print-severity yes;
>         };
> 
>         channel "named-lame" {
>                 file "/usr/local/named-jail9.10.3P4/var/adm/named.lame" versions 3 size 30m;
>                 severity info;
>                 print-time yes; print-category yes; print-severity yes;
>         };
> 
>         channel "named-querylog" {
>                 file "/usr/local/named-jail9.10.3P4/var/adm/named.querylog" versions 3 size 30m;
>                 severity dynamic;
>                 print-time yes; print-category yes; print-severity yes;
>         };
> 
>         category "general" { "named-log"; };
>         category "security" { "named-log"; };
>         category "xfer-in" { "named-log"; };
>         category "xfer-out" { "named-log"; };
>         category "client" { "named-log"; };
>         category "update" { "named-log"; };
>         category "lame-servers" { "named-lame"; };
>         category "queries" { "named-querylog"; };
>         category edns-disabled { null; };
>         /* category "delegation-only" { "named-querylog"; }; */
> };
> 
> 
> And yes the directory "/usr/local/named-jail9.10.3P4/var/adm/" exists and the files are there....owned by named:named.
> 
> I know that using rndc is a good practice, but is there an option to specify in named.conf to disable it?
> 
> -----Original Message-----
> From: Jeremy C. Reed [mailto:jreed at isc.org] 
> Sent: Friday, April 08, 2016 9:37 AM
> To: Bhangui, Sandeep - BLS CTR <Bhangui.Sandeep at bls.gov>
> Cc: Bind Users Mailing List <bind-users at lists.isc.org>
> Subject: Re: Question about managed-keys-zone
> 
> On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:
> 
> 
>> '--enable-newstats' '--with-libxml2' '--enable-fullreport' 'CFLAGS=-O2
> 
> Unrelated to your problem, but the --enable-newstats configure switch is not used for BIND 9.10.
> 
>> 1. Cannot seem to start named and it seems that it is looking for some 
>> keys to validation locally.
> 
> (I reordered your email some:)
> 
>> Apr 7 15:15:32 cfdnsquar01 named[37952]: isc_stdio_open '/usr/local/named-jail9.10.3P4/var/adm/named.log' failed: file not found
>> Apr 7 15:15:32 cfdnsquar01 named[37952]: configuring logging: file not found
>> Apr 7 15:15:32 cfdnsquar01 named[37952]: loading configuration: file not found
>> Apr  7 15:15:32 cfdnsquar01 named[37952]: exiting (due to fatal error)
> 
> Your named cannot start due to logging configuration. You didn't share your configuration related to it, but does the directory /usr/local/named-jail9.10.3P4/var/adm/ exist?
> 
>  
>> I believe managed-key-zone validation is by default enabled in 
>> Bind......is there an option that I can use in named.conf file to 
>> disable that so that it does not look for the key......I guess this is 
>> just a self-validation on the master itself and has nothing to do with 
>> DNSSEC signing as it seems I am not even able to get the named up...
> 
> Yes, it is unrelated.
> 
>> I guess question is do I have an option that I can specify such that 
>> it will not look for self-validation keys at all so that I do not have 
>> to deal with rndc.key and rndc.conf or is this something I cannot get 
>> by with when I use "views" ? Or am I not understanding this properly?
> 
> The rndc keys (used for connecting to the control interface) are unrelated to the keys used with DNSSEC.  But for operations it is a good idea. See the ARM and/or rndc-confgen manpage about generating the rndc configuration.
> 
> Let's get your named startup working first before we work on your goal. 
> (If I understand correctly, you want named to serve internally unsigned zones, an external appliance will sign the zones, and then named can then serve the signed zones publicly.)
> 


-- 
|     Bjoern Kahl   +++   Siegburg   +++    Germany     |
|     "mls at -my-domain-"   +++    www.bjoern-kahl.de     |
| Languages: German, English, Ancient Latin (a bit :-)) |
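An added check for the path mistake discussed in this thread (example script, not part of the list post or of BIND): it pulls every `file "..."` directive out of a named.conf logging section and classifies it as already jail-relative (and whether its directory exists under the jail on the host), as a host path that still carries the jail prefix (the error above), or as a relative path that needs manual review. The jail directory is the one quoted in the thread; the `sample_conf` excerpt is constructed for the example, with one channel written the wrong way and one the right way.

```shell
#!/bin/sh
# Added example, not from the bind-users thread. Checks that "file" paths in a
# named.conf logging section are written relative to the chroot jail, because
# after chroot named resolves every path from the jail's own "/".

# Jail directory as quoted in the thread (assumption: this is the chroot root).
JAIL="/usr/local/named-jail9.10.3P4"

# Constructed logging excerpt with the jail prefix parameterised: the first
# channel repeats the mistake (host path with the jail prefix), the second is
# the jail-relative form named expects.
sample_conf() {
    cat <<EOF
logging {
        channel "named-log" {
                file "$1/var/adm/named.log" versions 3 size 30m;
                severity info;
        };
        channel "named-querylog" {
                file "/var/adm/named.querylog" versions 3 size 30m;
                severity dynamic;
        };
        category "queries" { "named-querylog"; };
};
EOF
}

# check_log_paths JAIL CONF_TEXT
# Prints one verdict per file directive. Returns 0 only if every path is
# absolute, free of the jail prefix, and its directory exists under the jail.
check_log_paths() {
    jail=$1
    conf=$2
    rc=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        case $p in
            "$jail"/*)
                # After chroot this would resolve to jail + jail + ... on the host.
                echo "JAIL_PREFIX_IN_PATH $p (write it as ${p#"$jail"})"
                rc=1 ;;
            /*)
                if [ -d "$jail$(dirname "$p")" ]; then
                    echo "OK $p (on the host: $jail$p)"
                else
                    echo "MISSING_IN_JAIL $p (no directory $jail$(dirname "$p"))"
                    rc=1
                fi ;;
            *)
                # Relative names are resolved against options { directory }; review by hand.
                echo "RELATIVE $p (check against the options directory setting)"
                rc=1 ;;
        esac
    done <<EOF
$(printf '%s\n' "$conf" | sed -n 's/.*file[[:space:]]*"\([^"]*\)".*/\1/p')
EOF
    return $rc
}

# Stand-alone run against the thread's jail path.
if check_log_paths "$JAIL" "$(sample_conf "$JAIL")"; then
    echo "all logging paths are jail-relative and their directories exist"
else
    echo "fix the flagged file directives before restarting named"
fi
```

Run it as `sh check_named_log_paths.sh` on the host (outside the jail) so the directory existence test sees the jail's filesystem; a `JAIL_PREFIX_IN_PATH` verdict is exactly the "file not found" failure from the log lines quoted above.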
